
Unauthorized user administration


5 replies to this topic

#1 Balumankala


Posted 16 May 2015 - 07:33 AM

Hello Members,

 

I need your help regarding a topic "Unauthorized user administration".

 

I need to implement a few use cases in our SIEM tool which trigger an alert when "unauthorized administration" is detected.

 

Scope is Windows and Linux operating systems.

 

* Creating a local account on a workstation.

* Creating a local admin group on a workstation.

* Add user to a local admin group on a workstation.

* User password set to never expire.

* Admin account password reset.

 

Can you think of any other scenarios which can be considered "unauthorized user administration"?

 

Thanks in advance. 

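To make the five use cases above concrete, here is an added example (not code from the original post) that normalises Windows Security events and Linux sudo log lines into those use cases and alerts when the acting account is not one of the authorised administration accounts. It goes slightly beyond the post's list by also mapping account enable/disable/delete and group-member-removed events, which belong in the same rule set. The Windows event IDs are the standard Microsoft-Windows-Security-Auditing IDs; the host names, account names (svc_idm, bob), the assumption that Linux account changes go through sudo, and every sample event and log line are constructed for illustration.

```python
"""Added example (not from the thread): map Windows Security events and Linux
sudo log lines to the "unauthorized user administration" use cases and flag
actors outside the authorised admin accounts. All samples are constructed."""
import re

# Windows Security log event IDs for the use cases in the post, plus a few
# closely related ones (enable/disable/delete, member removed) that belong in
# the same rule set.
WINDOWS_USE_CASES = {
    4720: "local account created",
    4727: "security-enabled global group created",
    4731: "security-enabled local group created",
    4732: "member added to security-enabled local group",
    4724: "password reset attempted",
    4722: "account enabled",
    4725: "account disabled",
    4726: "account deleted",
    4733: "member removed from security-enabled local group",
}
# "Password never expires" is a flag change, reported by 4738 ("A user account
# was changed") in its UserAccountControl field: the raw XML carries message
# code %%2089, the rendered message shows the quoted text.
NEVER_EXPIRE_MARKERS = ("'Don't Expire Password' - Enabled", "%%2089")

# Linux (assumption): account administration runs through sudo, whose syslog
# line names both the actor and the command that was executed.
LINUX_TOOLS = {
    "useradd": "local account created",
    "groupadd": "local group created",
    "usermod": "account attributes or group membership changed",
    "gpasswd": "group membership changed",
    "passwd": "password changed or reset",
    "chage": "password expiry changed",
}
SUDO_RE = re.compile(
    r"^\S+\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+sudo:\s+(?P<actor>\S+)\s+:.*?"
    r"COMMAND=(?P<cmd>.+)$")


def classify_windows(event):
    """Return a normalised admin action for a Security event dict, or None.
    TargetUserName is the account, or the group for group events."""
    eid = event["EventID"]
    if eid in WINDOWS_USE_CASES:
        use_case = WINDOWS_USE_CASES[eid]
    elif eid == 4738 and any(m in event.get("UserAccountControl", "")
                             for m in NEVER_EXPIRE_MARKERS):
        use_case = "password set to never expire"
    else:
        return None
    return {"os": "windows", "host": event["Computer"],
            "actor": event["SubjectUserName"].lower(),
            "use_case": use_case, "target": event.get("TargetUserName", "")}


def classify_linux(line):
    """Return a normalised admin action for a syslog sudo line, or None."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    argv = m.group("cmd").split()
    tool = argv[0].rsplit("/", 1)[-1]
    if tool not in LINUX_TOOLS:
        return None
    # For these tools the account or group being administered is the last
    # positional argument.
    return {"os": "linux", "host": m.group("host"),
            "actor": m.group("actor").lower(),
            "use_case": LINUX_TOOLS[tool], "target": argv[-1]}


def find_unauthorized(windows_events, linux_lines, authorized_accounts):
    """Every admin action whose actor is not an authorised admin account."""
    allowed = {a.lower() for a in authorized_accounts}
    actions = [classify_windows(e) for e in windows_events]
    actions += [classify_linux(l) for l in linux_lines]
    return [a for a in actions if a and a["actor"] not in allowed]


# Constructed sample data: svc_idm is the dedicated admin account, bob is not.
SAMPLE_WINDOWS = [
    {"Computer": "WS-001", "EventID": 4720, "SubjectUserName": "svc_idm", "TargetUserName": "jdoe"},
    {"Computer": "WS-002", "EventID": 4720, "SubjectUserName": "bob", "TargetUserName": "helpdesk2"},
    {"Computer": "WS-002", "EventID": 4732, "SubjectUserName": "bob", "TargetUserName": "Administrators"},
    {"Computer": "WS-002", "EventID": 4738, "SubjectUserName": "bob", "TargetUserName": "helpdesk2",
     "UserAccountControl": "2089: 'Don't Expire Password' - Enabled"},
    {"Computer": "WS-001", "EventID": 4738, "SubjectUserName": "bob", "TargetUserName": "bob",
     "UserAccountControl": "-"},   # attribute change without the flag: no alert
    {"Computer": "WS-001", "EventID": 4624, "SubjectUserName": "bob", "TargetUserName": "bob"},  # logon: ignored
]
SAMPLE_LINUX = [
    "May 16 07:33:01 ws-042 sudo: svc_idm : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/useradd -m jdoe",
    "May 16 07:35:12 ws-042 sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo bob",
    "May 16 07:36:40 ws-042 sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/chage -M -1 bob",
    "May 16 07:37:02 ws-042 sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt update",
]
AUTHORIZED = {"svc_idm"}

if __name__ == "__main__":
    for alert in find_unauthorized(SAMPLE_WINDOWS, SAMPLE_LINUX, AUTHORIZED):
        print(alert)
```

Run as-is it prints five alerts, all for bob: the account creation, the addition to Administrators, the never-expire flag on Windows, and the usermod and chage calls on Linux; the apt line and svc_idm's own actions are ignored. A real SIEM rule would take the same three fields (actor, use case, target) from its own column names, as the Logsign reply later in this thread shows for event 4720.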




#2 Balumankala


Posted 17 May 2015 - 07:20 AM

No Windows experts or sysadmins here? :(



#3 Didier Stevens


Posted 17 May 2015 - 08:21 AM

What is considered "authorized user administration" in your organization? Who is allowed to administer user accounts?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#4 Balumankala


Posted 17 May 2015 - 09:21 PM

A "dedicated team" and a few "dedicated accounts".



#5 Didier Stevens


Posted 18 May 2015 - 02:45 AM

Then you collect all events on user administration by this team over a period of several months, and use that as a baseline.


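The baseline approach in the reply above, as an added example that is not part of the original post: collect the dedicated team's normalised admin actions (actor, use case, host, time) over a learning period, then score new records against what the team actually does rather than against a hand-written allowlist. The two admin accounts, the 60-day learning period and every record below are constructed; the use-case names are the ones a normaliser feeding this function would emit.

```python
"""Added example (not from the thread): learn a baseline of who performs which
user-administration action and when, then flag records that deviate from it.
History and new records are constructed for illustration."""
from collections import Counter
from datetime import datetime, timedelta


def build_baseline(history):
    """history: iterable of (timestamp, actor, use_case, host).
    Returns the actors seen, the (actor, use_case) pairs seen, and how many
    actions fell into each hour of the day."""
    baseline = {"actors": set(), "pairs": set(), "hours": Counter()}
    for ts, actor, use_case, host in history:
        baseline["actors"].add(actor)
        baseline["pairs"].add((actor, use_case))
        baseline["hours"][ts.hour] += 1
    return baseline


def score(record, baseline):
    """Return the list of deviations for one record; empty means 'as usual'."""
    ts, actor, use_case, host = record
    if actor not in baseline["actors"]:
        # Strongest signal: an account the team never used for administration.
        return ["actor never performed user administration in baseline"]
    reasons = []
    if (actor, use_case) not in baseline["pairs"]:
        reasons.append(f"{actor} never performed '{use_case}' in baseline")
    if baseline["hours"][ts.hour] == 0:
        reasons.append(f"no baseline activity at hour {ts.hour:02d}")
    return reasons


def scan(records, baseline):
    """(record, reasons) for every record that deviates from the baseline."""
    hits = []
    for record in records:
        reasons = score(record, baseline)
        if reasons:
            hits.append((record, reasons))
    return hits


# Constructed 60-day learning period: two dedicated accounts working weekdays
# between 08:00 and 17:59 on a rotating set of workstations.
_start = datetime(2015, 2, 1, 9, 0)
HISTORY = []
for _day in range(60):
    _d = _start + timedelta(days=_day)
    if _d.weekday() >= 5:
        continue
    _ws = "WS-%03d" % _day
    HISTORY.append((_d.replace(hour=8 + _day % 10), "svc_idm", "local account created", _ws))
    HISTORY.append((_d.replace(hour=9 + _day % 9), "alice.adm", "password reset attempted", _ws))
    HISTORY.append((_d.replace(hour=16), "svc_idm", "member added to security-enabled local group", _ws))
BASELINE = build_baseline(HISTORY)

# Constructed new records to score.
NEW_RECORDS = [
    (datetime(2015, 5, 16, 10, 5), "svc_idm", "local account created", "WS-201"),    # routine
    (datetime(2015, 5, 16, 2, 17), "svc_idm", "local account created", "WS-201"),    # 02:17, off-hours
    (datetime(2015, 5, 16, 11, 0), "alice.adm", "local account created", "WS-202"),  # new action for her
    (datetime(2015, 5, 16, 11, 3), "bob", "member added to security-enabled local group", "WS-203"),
]

if __name__ == "__main__":
    for record, reasons in scan(NEW_RECORDS, BASELINE):
        print(record[1], record[2], "->", "; ".join(reasons))
```

The hour-of-day check is deliberately crude (a count of zero in the learning period); with real data a practitioner would use a threshold relative to the busiest hours and keep weekends separate, but the structure stays the same: every new event is compared with what the dedicated team was observed doing, so a valid account used at an unusual time or for an unusual action still surfaces.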

#6 erdemmulutas


Posted 03 May 2016 - 07:06 AM

Well, this is an old topic, but I'm going to answer anyway. Also, this is my first post. Sorry, I didn't read the forum rules. Forgive me, but I'm sure I'm going to violate some of them in this reply.

 

I'm using Logsign (https://www.logsign.com/) as our SIEM product. I'm a System Analyst at a company. I can only answer the Windows-side alert rules for your question.

 

Creating a local account on a workstation.

EventSource.Product:"Windows" EventMap.Type:"User" EventMap.SubType:"Add"

 

What this means is that Logsign has columns for events. Each column can have values (Windows, User, Add). I haven't used any other SIEM application, so I can only answer your question for my own environment.

 

But our SIEM application also has an Event.VendorID column for Windows event codes. For example, I use https://www.ultimatewindowssecurity.com/ for Windows event codes.

 

For our example of creating a new user, see https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4720.

 

You can also find other event codes in this website.





